Premium Edition eBook

The exciting new CCNA Security 640-554 Official Cert Guide, Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Test. The Premium Edition eBook and Practice Test contains the following items:

The CCNA Security 640-554 Premium Edition Practice Test, including four full practice exams (over 250 questions) and enhanced practice test features

PDF and EPUB formats of the CCNA Security 640-554 Official Cert Guide from Cisco Press, which are accessible via your PC, tablet, and smartphone

About the Premium Edition Practice Test

This Premium Edition contains an enhanced version of the Pearson IT Certification Practice Test (PCPT) software with four full practice exams. In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package:

Allows you to focus on individual topic areas or take complete, timed exams

Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions

Provides unique sets of exam-realistic practice questions

Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most

Pearson IT Certification Practice Test minimum system requirements:

Windows XP (SP3), Windows Vista (SP2), or Windows 7;

Microsoft .NET Framework 4.0 Client;

Pentium class 1GHz processor (or equivalent);

512 MB RAM;

650 MB disk space plus 50 MB for each downloaded practice exam

About the Premium Edition eBook

CCNA Security 640-554 Official Cert Guide is a best-of-breed Cisco exam study guide that focuses specifically on the objectives for the CCNA Security IINS exam. Cisco Certified Internetwork Experts (CCIE) Keith Barker and Scott Morris share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

CCNA Security 640-554 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

This eBook comes complete with 90 minutes of video training on CCP, NAT, object groups, ACLs, port security on a Layer 2 switch, CP3L, and zone-based firewalls. See the last page of the eBook file for instructions on downloading the videos.

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

This official study guide helps you master all the topics on the CCNA Security IINS exam, including:

Network security concepts

Security policies and strategies

Network foundation protection (NFP)

Cisco Configuration Professional (CCP)

Management plane security

AAA security

Layer 2 security threats

IPv6 security

Threat mitigation and containment

Access Control Lists (ACLs)

Network Address Translation (NAT)

Cisco IOS zone-based firewalls and ASA firewalls

Intrusion prevention and detection systems

Public Key Infrastructure (PKI) and cryptography

Site-to-site IPsec VPNs and SSL VPNs

Table of Contents

Introduction xxv

Part I Fundamentals of Network Security

Chapter 1 Networking Security Concepts

“Do I Know This Already?” Quiz 5

Foundation Topics 8

Understanding Network and Information Security Basics 8

Network Security Objectives 8

Confidentiality, Integrity, and Availability 8

Cost-Benefit Analysis of Security 9

Classifying Assets 10

Classifying Vulnerabilities 11

Classifying Countermeasures 12

What Do We Do with the Risk? 12

Recognizing Current Network Threats 13

Potential Attackers 13

Attack Methods 14

Attack Vectors 15

Man-in-the-Middle Attacks 15

Other Miscellaneous Attack Methods 16

Applying Fundamental Security Principles to Network Design 17

Guidelines 17

How It All Fits Together 19

Exam Preparation Tasks 20

Review All the Key Topics 20

Complete the Tables and Lists from Memory 20

Define Key Terms 20

Chapter 2 Understanding Security Policies Using a Lifecycle Approach

“Do I Know This Already?” Quiz 23

Foundation Topics 25

Risk Analysis and Management 25

Secure Network Lifecycle 25

Risk Analysis Methods 25

Security Posture Assessment 26

An Approach to Risk Management 27

Regulatory Compliance Affecting Risk 28

Security Policies 28

Who, What, and Why 28

Specific Types of Policies 29

Standards, Procedures, and Guidelines 30

Testing the Security Architecture 31

Responding to an Incident on the Network 32

Collecting Evidence 32

Reasons for Not Being an Attacker 32

Liability 33

Disaster Recovery and Business Continuity Planning 33

Exam Preparation Tasks 34

Review All the Key Topics 34

Complete the Tables and Lists from Memory 34

Define Key Terms 34

Chapter 3 Building a Security Strategy

“Do I Know This Already?” Quiz 37

Foundation Topics 40

Securing Borderless Networks 40

The Changing Nature of Networks 40

Logical Boundaries 40

SecureX and Context-Aware Security 42

Controlling and Containing Data Loss 42

An Ounce of Prevention 42

Secure Connectivity Using VPNs 43

Secure Management 43

Exam Preparation Tasks 44

Review All the Key Topics 44

Complete the Tables and Lists from Memory 44

Define Key Terms 44

Part II Protecting the Network Infrastructure

Chapter 4 Network Foundation Protection

“Do I Know This Already?” Quiz 49

Foundation Topics 52

Using Network Foundation Protection to Secure Networks 52

The Importance of the Network Infrastructure 52

The Network Foundation Protection (NFP) Framework 52

Interdependence 53

Implementing NFP 53

Understanding the Management Plane 55

First Things First 55

Best Practices for Securing the Management Plane 55

Understanding the Control Plane 56

Best Practices for Securing the Control Plane 56

Understanding the Data Plane 57

Best Practices for Protecting the Data Plane 59

Additional Data Plane Protection Mechanisms 59

Exam Preparation Tasks 60

Review All the Key Topics 60

Complete the Tables and Lists from Memory 60

Define Key Terms 60

Chapter 5 Using Cisco Configuration Professional to Protect the Network Infrastructure

“Do I Know This Already?” Quiz 63

Foundation Topics 65

Introducing Cisco Configuration Professional 65

Understanding CCP Features and the GUI 65

The Menu Bar 66

The Toolbar 67

Left Navigation Pane 68

Content Pane 69

Status Bar 69

Setting Up New Devices 69

CCP Building Blocks 70

Communities 70

Templates 74

User Profiles 78

CCP Audit Features 81

One-Step Lockdown 84

A Few Highlights 84

Exam Preparation Tasks 88

Review All the Key Topics 88

Complete the Tables and Lists from Memory 88

Define Key Terms 88

Command Reference to Check Your Memory 89

Chapter 6 Securing the Management Plane on Cisco IOS Devices

“Do I Know This Already?” Quiz 91

Foundation Topics 94

Securing Management Traffic 94

What Is Management Traffic and the Management Plane? 94

Beyond the Blue Rollover Cable 94

Management Plane Best Practices 95

Password Recommendations 97

Using AAA to Verify Users 97

AAA Components 98

Options for Storing Usernames, Passwords, and Access Rules 98

Authorizing VPN Users 99

Router Access Authentication 100

The AAA Method List 101

Role-Based Access Control 102

Custom Privilege Levels 103

Limiting the Administrator by Assigning a View 103

Encrypted Management Protocols 103

Using Logging Files 104

Understanding NTP 105

Protecting Cisco IOS Files 106

Implement Security Measures to Protect the Management Plane 106

Implementing Strong Passwords 106

User Authentication with AAA 108

Using the CLI to Troubleshoot AAA for Cisco Routers 113

RBAC Privilege Level/Parser View 118

Implementing Parser Views 120

SSH and HTTPS 122

Implementing Logging Features 125

Configuring Syslog Support 125

SNMP Features 128

Configuring NTP 131

Securing the Cisco IOS Image and Configuration Files 133

Exam Preparation Tasks 134

Review All the Key Topics 134

Complete the Tables and Lists from Memory 135

Define Key Terms 135

Command Reference to Check Your Memory 135

Chapter 7 Implementing AAA Using IOS and the ACS Server

“Do I Know This Already?” Quiz 137

Foundation Topics 140

Cisco Secure ACS, RADIUS, and TACACS 140

Why Use Cisco ACS? 140

What Platform Does ACS Run On? 141

What Is ISE? 141

Protocols Used Between the ACS and the Router 141

Protocol Choices Between the ACS Server and the Client (the Router) 142

Configuring Routers to Interoperate with an ACS Server 143

Configuring the ACS Server to Interoperate with a Router 154

Verifying and Troubleshooting Router-to-ACS Server Interactions 164

Exam Preparation Tasks 171

Review All the Key Topics 171

Complete the Tables and Lists from Memory 171

Define Key Terms 171

Command Reference to Check Your Memory 172

Chapter 8 Securing Layer 2 Technologies

“Do I Know This Already?” Quiz 175

Foundation Topics 178

VLAN and Trunking Fundamentals 178

What Is a VLAN? 178

Trunking with 802.1Q 180

Following the Frame, Step by Step 181

The Native VLAN on a Trunk 181

So, What Do You Want to Be? (Says the Port) 182

Inter-VLAN Routing 182

The Challenge of Using Physical Interfaces Only 182

Using Virtual “Sub” Interfaces 182

Spanning-Tree Fundamentals 183

Loops in Networks Are Usually Bad 184

The Life of a Loop 184

The Solution to the Layer 2 Loop 184

STP Is Wary of New Ports 187

Improving the Time Until Forwarding 187

Common Layer 2 Threats and How to Mitigate Them 188

Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too 188

Layer 2 Best Practices 189

Do Not Allow Negotiations 190

Layer 2 Security Toolkit 190

Specific Layer 2 Mitigation for CCNA Security 191

BPDU Guard 191

Root Guard 192

Port Security 192

Exam Preparation Tasks 195

Review All the Key Topics 195

Complete the Tables and Lists from Memory 195

Review the Port Security Video Included with This Book 196

Define Key Terms 196

Command Reference to Check Your Memory 196

Chapter 9 Securing the Data Plane in IPv6

“Do I Know This Already?” Quiz 199

Foundation Topics 202

Understanding and Configuring IPv6 202

Why IPv6? 202

The Format of an IPv6 Address 203

Understanding the Shortcuts 205

Did We Get an Extra Address? 205

IPv6 Address Types 206

Configuring IPv6 Routing 208

Moving to IPv6 210

Developing a Security Plan for IPv6 210

Best Practices Common to Both IPv4 and IPv6 210

Threats Common to Both IPv4 and IPv6 212

The Focus on IPv6 Security 213

New Potential Risks with IPv6 213

IPv6 Best Practices 214

Exam Preparation Tasks 216

Review All the Key Topics 216

Complete the Tables and Lists from Memory 216

Define Key Terms 217

Command Reference to Check Your Memory 217

Part III Mitigating and Controlling Threats

Chapter 10 Planning a Threat Control Strategy

“Do I Know This Already?” Quiz 221

Foundation Topics 224

Designing Threat Mitigation and Containment 224

The Opportunity for the Attacker Is Real 224

Many Potential Risks 224

The Biggest Risk of All 224

Where Do We Go from Here? 225

Securing a Network via Hardware/Software/Services 226

Switches 227

Routers 228

ASA Firewall 230

Other Systems and Services 231

Exam Preparation Tasks 232

Review All the Key Topics 232

Complete the Tables and Lists from Memory 232

Define Key Terms 232

Chapter 11 Using Access Control Lists for Threat Mitigation

“Do I Know This Already?” Quiz 235

Foundation Topics 238

Access Control List Fundamentals and Benefits 238

Access Lists Aren’t Just for Breakfast Anymore 238

Stopping Malicious Traffic with an Access List 239

What Can We Protect Against? 240

The Logic in a Packet-Filtering ACL 241

Standard and Extended Access Lists 242

Line Numbers Inside an Access List 243

Wildcard Masks 244

Object Groups 244

Implementing IPv4 ACLs as Packet Filters 244

Putting the Policy in Place 244

Monitoring the Access Lists 255

To Log or Not to Log 257

Implementing IPv6 ACLs as Packet Filters 259

Exam Preparation Tasks 263

Review All the Key Topics 263

Complete the Tables and Lists from Memory 263

Review the NAT Video Included with This Book 263

Define Key Terms 264

Command Reference to Check Your Memory 264

Chapter 12 Understanding Firewall Fundamentals

“Do I Know This Already?” Quiz 267

Foundation Topics 270

Firewall Concepts and Technologies 270

Firewall Technologies 270

Objectives of a Good Firewall 270

Firewall Justifications 271

The Defense-in-Depth Approach 272

Five Basic Firewall Methodologies 273

Static Packet Filtering 274

Application Layer Gateway 275

Stateful Packet Filtering 276

Application Inspection 277

Transparent Firewalls 277

Using Network Address Translation 278

NAT Is About Hiding or Changing the Truth About Source Addresses 278

Inside, Outside, Local, Global 279

Port Address Translation 280

NAT Options 281

Creating and Deploying Firewalls 283

Firewall Technologies 283

Firewall Design Considerations 283

Firewall Access Rules 284

Packet-Filtering Access Rule Structure 285

Firewall Rule Design Guidelines 285

Rule Implementation Consistency 286

Exam Preparation Tasks 288

Review All the Key Topics 288

Complete the Tables and Lists from Memory 288

Define Key Terms 288

Chapter 13 Implementing Cisco IOS Zone-Based Firewalls

“Do I Know This Already?” Quiz 291

Foundation Topics 294

Cisco IOS Zone-Based Firewall 294

How Zone-Based Firewall Operates 294

Specific Features of Zone-Based Firewalls 294

Zones and Why We Need Pairs of Them 295

Putting the Pieces Together 296

Service Policies 297

The Self Zone 300

Configuring and Verifying Cisco IOS Zone-Based Firewall 300

First Things First 301

Using CCP to Configure the Firewall 301

Verifying the Firewall 314

Verifying the Configuration from the Command Line 315

Implementing NAT in Addition to ZBF 319

Verifying Whether NAT Is Working 322

Exam Preparation Tasks 324

Review All the Key Topics 324

Review the Video Bonus Material 324

Complete the Tables and Lists from Memory 324

Define Key Terms 325

Command Reference to Check Your Memory 325

Chapter 14 Configuring Basic Firewall Policies on Cisco ASA

“Do I Know This Already?” Quiz 327

Foundation Topics 330

The ASA Appliance Family and Features 330

Meet the ASA Family 330

ASA Features and Services 331

ASA Firewall Fundamentals 333

ASA Security Levels 333

The Default Flow of Traffic 335

Tools to Manage the ASA 336

Initial Access 337

Packet Filtering on the ASA 337

Implementing a Packet-Filtering ACL 338

Modular Policy Framework 338

Where to Apply a Policy 339

Configuring the ASA 340

Beginning the Configuration 340

Getting to the ASDM GUI 345

Configuring the Interfaces 347

IP Addresses for Clients 355

Basic Routing to the Internet 356

NAT and PAT 357

Permitting Additional Access Through the Firewall 359

Using Packet Tracer to Verify Which Packets Are Allowed 362

Verifying the Policy of No Telnet 366

Exam Preparation Tasks 368

Review All the Key Topics 368

Complete the Tables and Lists from Memory 368

Define Key Terms 369

Command Reference to Check Your Memory 369

Chapter 15 Cisco IPS/IDS Fundamentals

“Do I Know This Already?” Quiz 371

Foundation Topics 374

IPS Versus IDS 374

What Sensors Do 374

Difference Between IPS and IDS 374

Sensor Platforms 376

True/False Negatives/Positives 376

Positive/Negative Terminology 377

Identifying Malicious Traffic on the Network 377

Signature-Based IPS/IDS 377

Policy-Based IPS/IDS 378

Anomaly-Based IPS/IDS 378

Reputation-Based IPS/IDS 378

When Sensors Detect Malicious Traffic 379

Controlling Which Actions the Sensors Should Take 381

Implementing Actions Based on the Risk Rating 382

IPv6 and IPS 382

Circumventing an IPS/IDS 382

Managing Signatures 384

Signature or Severity Levels 384

Monitoring and Managing Alarms and Alerts 385

Security Intelligence 385

IPS/IDS Best Practices 386

Exam Preparation Tasks 387

Review All the Key Topics 387

Complete the Tables and Lists from Memory 387

Define Key Terms 387

Chapter 16 Implementing IOS-Based IPS

“Do I Know This Already?” Quiz 389

Foundation Topics 392

Understanding and Installing an IOS-Based IPS 392

What Can IOS IPS Do? 392

Installing the IOS IPS Feature 393

Getting to the IPS Wizard 394

Working with Signatures in an IOS-Based IPS 400

Actions That May Be Taken 405

Best Practices When Tuning IPS 412

Managing and Monitoring IPS Alarms 412

Exam Preparation Tasks 417

Review All the Key Topics 417

Complete the Tables and Lists from Memory 417

Define Key Terms 417

Command Reference to Check Your Memory 418

Part IV Using VPNs for Secure Connectivity

Chapter 17 Fundamentals of VPN Technology

“Do I Know This Already?” Quiz 423

Foundation Topics 426

Understanding VPNs and Why We Use Them 426

What Is a VPN? 426

Types of VPNs 427

Two Main Types of VPNs 427

Main Benefits of VPNs 427

Confidentiality 428

Data Integrity 428

Authentication 430

Antireplay 430

Cryptography Basic Components 430

Ciphers and Keys 430

Ciphers 430

Keys 431

Block and Stream Ciphers 431

Block Ciphers 432

Stream Ciphers 432

Symmetric and Asymmetric Algorithms 432

Symmetric 432

Asymmetric 433

Hashes 434

Hashed Message Authentication Code 434

Digital Signatures 435

Digital Signatures in Action 435

Key Management 436

IPsec and SSL 436

IPsec 436

SSL 437

Exam Preparation Tasks 439

Review All the Key Topics 439

Complete the Tables and Lists from Memory 439

Define Key Terms 439

Chapter 18 Fundamentals of the Public Key Infrastructure

“Do I Know This Already?” Quiz 441

Foundation Topics 444

Public Key Infrastructure 444

Public and Private Key Pairs 444

RSA Algorithm, the Keys, and Digital Certificates 445

Who Has Keys and a Digital Certificate? 445

How Two Parties Exchange Public Keys 445

Creating a Digital Signature 445

Certificate Authorities 446

Root and Identity Certificates 446

Root Certificate 446

Identity Certificate 448

Using the Digital Certificates to Get the Peer’s Public Key 448

X.500 and X.509v3 Certificates 449

Authenticating and Enrolling with the CA 450

Public Key Cryptography Standards 450

Simple Certificate Enrollment Protocol 451

Revoked Certificates 451

Uses for Digital Certificates 452

PKI Topologies 452

Single Root CA 453

Hierarchical CA with Subordinate CAs 453

Cross-Certifying CAs 453

Putting the Pieces of PKI to Work 453

Default of the ASA 454

Viewing the Certificates in ASDM 455

Adding a New Root Certificate 455

Easier Method for Installing Both Root and Identity Certificates 457

Exam Preparation Tasks 462

Review All the Key Topics 462

Complete the Tables and Lists from Memory 462

Define Key Terms 463

Command Reference to Check Your Memory 463

Chapter 19 Fundamentals of IP Security

“Do I Know This Already?” Quiz 465

Foundation Topics 468

IPsec Concepts, Components, and Operations 468

The Goal of IPsec 468

The Play by Play for IPsec 469

Step 1: Negotiate the IKE Phase 1 Tunnel 469

Step 2: Run the DH Key Exchange 471

Step 3: Authenticate the Peer 471

What About the User’s Original Packet? 471

Leveraging What They Have Already Built 471

Now IPsec Can Protect the User’s Packets 472

Traffic Before IPsec 472

Traffic After IPsec 473

Summary of the IPsec Story 474

Configuring and Verifying IPsec 475

Tools to Configure the Tunnels 475

Start with a Plan 475

Applying the Configuration 475

Viewing the CLI Equivalent at the Router 482

Completing and Verifying IPsec 484

Exam Preparation Tasks 491

Review All the Key Topics 491

Complete the Tables and Lists from Memory 491

Define Key Terms 492

Command Reference to Check Your Memory 492

Chapter 20 Implementing IPsec Site-to-Site VPNs

“Do I Know This Already?” Quiz 495

Foundation Topics 498

Planning and Preparing an IPsec Site-to-Site VPN 498

Customer Needs 498

Planning IKE Phase 1 500

Planning IKE Phase 2 501

Implementing and Verifying an IPsec Site-to-Site VPN 502

Troubleshooting IPsec Site-to-Site VPNs 511

Exam Preparation Tasks 526

Review All the Key Topics 526

Complete the Tables and Lists from Memory 526

Define Key Terms 526

Command Reference to Check Your Memory 526

Chapter 21 Implementing SSL VPNs Using Cisco ASA

“Do I Know This Already?” Quiz 529

Foundation Topics 532

Functions and Use of SSL for VPNs 532

Is IPsec Out of the Picture? 532

SSL and TLS Protocol Framework 533

The Play by Play of SSL for VPNs 534

SSL VPN Flavors 534

Configuring SSL Clientless VPNs on ASA 535

Using the SSL VPN Wizard 536

Digital Certificates 537

Authenticating Users 538

Logging In 541

Seeing the VPN Activity from the Server 543

Configuring the Full SSL AnyConnect VPN on the ASA 544

Types of SSL VPNs 545

Configuring Server to Support the AnyConnect Client 545

Groups, Connection Profiles, and Defaults 552

One Item with Three Different Names 553

Split Tunneling 554

Exam Preparation Tasks 556

Review All the Key Topics 556

Complete the Tables and Lists from Memory 556

Define Key Terms 556

Chapter 22 Final Preparation

Tools for Final Preparation 559

Pearson IT Certification Practice Test Engine and Questions on the CD 559